Malicious PDF — malware analysis report

Heuristics 7

• ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
• Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
  Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
• Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
  Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
• Callback phishing phone lure medium SE_CALLBACK_LURE
  Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
• External URI info PDF_URI
  PDF contains an external URL action
• Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
  The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://midufefew.ru/strik?utm_term=how+do+i+turn+off+call+forwarding+on+my+nec+phone PDF link annotation

  • http://nizavevorupuj.mywebcommunity.org/sutemetur.pdfIn PDF document text
  • http://waystep.site/sagafetemov1lbcd.pdfIn PDF document text
  • https://cdn.sqhk.co/wetaxawirewu/gfiiJRB/osm_vnf_onboarding_guidelines.pdfIn PDF document text
  • https://cdn.sqhk.co/kixepijap/eieigja/pitosuvonolaxana.pdfIn PDF document text
  • https://cdn.sqhk.co/lagazowasobo/hhHjhnA/61596957264.pdfIn PDF document text
  • http://lnstagram-copyright-confirms.com/70711319067vy14w.pdfIn PDF document text
  • http://tamodemuror.getenjoyment.net/lazizejimosiraledabexim.pdfIn PDF document text
  • http://tazizinujumijoj.mywebcommunity.org/how_to_set_time_on_timex_indiglo_digital_watch.pdfIn PDF document text
  • http://bellissimo.online/54755052906xxl64.pdfIn PDF document text
  • http://www.ascendercorp.com/In PDF document text
  • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
  • https://uploads.strikinglycdn.com/files/85eafe30-ed34-49c2-bef5-0fa29dbd4ba5/bariwagugipusisala.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/3c0023a4-1e32-4a33-9c58-1cb02e1e9f02/60392476083.pdfIn PDF document text
  • https://e0bfa911-60eb-4c53-bd8d-ceec25156dfb.filesusr.com/ugd/0a052f_1c5158a01fc64b7aa36976f8c87033b2.pdf?index=trueIn PDF document text
  • https://8c4778c4-ed17-4cf1-86f9-5448e21c5c15.filesusr.com/ugd/6da380_b1dbe4c9c7e340aaa3770f7465869519.pdf?index=trueIn PDF document text
  • https://d4f1f58f-bd44-402a-a4b0-a3aa01e36dbf.filesusr.com/ugd/dffefa_50665aa4e8134c6696a04439938e8002.pdf?index=trueIn PDF document text
  • https://0fe83ef2-ed6b-4f04-a52d-31fe3c58d8d1.filesusr.com/ugd/ade4e6_c40cc03b05c04e72b3e22bc4544f2812.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/c43fd7f3-ced5-4cfc-ae26-da3fbefc64fe/accu_chek_performa_fehlermeldung_e9.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/7d4404d3-c33d-4d65-b22b-ad7df119ce04/93573576040.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/3d3dc729-d6f9-4175-a316-564671896bf9/nowewirusowogeruzo.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/0e7cb119-b584-4423-b1fe-ebb5b2544bd7/what_are_the_dates_of_the_renaissance_festival.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/894ab229-903b-418c-9c8c-0b93553bfc4f/organizational_culture_refers_to.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/095f14eb-9678-4720-98d3-c96eaa29b79a/vuxatetami.pdfIn PDF document text
  • https://uploads.strikinglycdn.com/files/4fe1b664-f389-4502-b41d-2db32846b356/what_are_the_principles_of_treatment_class_9.pdfIn PDF document text
  • https://8488b7ac-84bc-45ae-88ed-26841205fc59.filesusr.com/ugd/7cda3c_df3f910b499b4ffdb4b28ca236f037c7.pdf?index=trueIn PDF document text
  • https://uploads.strikinglycdn.com/files/eac39778-e570-464b-afc1-0103f814a723/is_my_sc_drivers_license_real_id.pdfIn PDF document text
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
  • http://purl.org/dc/elements/1.1/In PDF document text
  • http://ns.adobe.com/pdf/1.3/In PDF document text
  • http://ns.adobe.com/xap/1.0/In PDF document text
  • http://ns.adobe.com/xap/1.0/mm/In PDF document text
  • http://ns.adobe.com/xap/1.0/rights/In PDF document text
  • http://scripts.sil.org/OFLIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.